On Fri, 6 Sep 2019 09:25:39 -0400, Eric Naujock via 4D_Tech wrote:
> as I look closer at it with questions from a state government 
> security person I can see a number of glaring holes that should be 
> filled. These are the biggest ones I see.
> 
> 1. Passwords are only alphanumeric.
?? what else do you want?
Letters, numbers, and (as far as I have found) any other key and/or 
combination, including [odd to US entry] characters such as 
umlauts (sp?) and other multi-keystroke characters.

There may be a maximum length, but I have not entered sufficient 
characters to find it.
  
> 2. No two factor options.
True - as someone else pointed out, adding it is possible.

> 3. Usernames and passwords are stored in the Structure file. (Very bad 
> if you're revving structure files during continuous development.)
It requires only a small bit of code to save (and encrypt) the user 
group info to a disk file or into the data file, or both.

> 4. No account lockouts for failed authentication attempts. An attacker 
> can just continuously try usernames and passwords indefinitely. 
The only workaround is to write your own login dialog.
I do not know if this is viable for iOS or web-based access.

> 5. The AD options require that you serve from a Windows server bound 
> to an AD system. You cannot use this if you have Mac clients or an 
> Apple server.
As far as I am aware, this is not true.
Mac can be (and we have some which are) part of the enterprise AD.

> 6. No ability to define password difficulty or force password changes 
> periodically. (I know that the need to change passwords regularly has 
> been debunked, but most govt. best-practice documents still believe 
> that's the way to go.)
Again - tying into an augmented user system allows this, and is not 
difficult to manage.


In summary, while I do not do all of the above, I do 'augment' the 4D 
user system.
It seems to me that most anyone using a 4D system with a user login 
needs to augment it for their own needs: 
where is the user located, their phone number, email address, etc. 
Adding most of the above additional security options is not hard.

I will admit that the lack of an attempt limit could be problematic, and 
I have not tried to resolve that issue, but otherwise I believe that all 
of the above-mentioned issues can be simply resolved.

Could 4D implement some (or all) of these things - sure.

Chip

---------------
Gas is for washing parts
Alcohol is for drinkin'
Nitromethane is for racing 
**********************************************************************
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************
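The thread above describes "augmenting" the built-in user system with hashed credential storage (item 3), a failed-attempt lockout in a custom login dialog (item 4), and a password policy with forced rotation (item 6), but shows no code. The following is an added example written for this page, not code from the post or from 4D; it is in Python rather than the 4D language so that it runs stand-alone, and the constants (five failures, a 15-minute lock, a 90-day maximum age, PBKDF2 at the OWASP-recommended 600,000 iterations) are assumptions a site would tune. It stores a salted PBKDF2 hash rather than an encrypted password, so a leaked data file does not yield credentials directly, and it takes the clock as a parameter so the lockout and expiry paths can be exercised deterministically.

```python
"""Augmented login: salted password hashing, complexity policy,
failed-attempt lockout and password expiry (added example, not 4D code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Assumed site policy; tune to local requirements.
PBKDF2_ITERATIONS = 600_000            # OWASP figure for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5                       # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60              # how long the account stays locked
MAX_PASSWORD_AGE = 90 * 24 * 3600      # force a change after 90 days
MIN_LENGTH = 12


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_changed_at: float               # epoch seconds of last password set
    failures: int = 0
    locked_until: float = 0.0


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; the stored value is useless without the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class UserStore:
    """In-memory stand-in for the disk/data-file record the post describes."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, username: str, password: str, now: float) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt,
                                          hash_password(password, salt), now)

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'must_change_password', 'locked' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same work as a real check so an unknown username is not
            # distinguishable from a wrong password by response time.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"              # do not even evaluate the password
        candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                return "locked"
            return "denied"
        acct.failures = 0                # success clears the counter
        if now - acct.pw_changed_at > MAX_PASSWORD_AGE:
            return "must_change_password"
        return "ok"
```

The lockout check runs before the hash so a locked account costs the attacker nothing but also costs the server nothing; the unknown-user branch deliberately spends the same hashing time as a real comparison. For the web or iOS paths the post is unsure about, the same store can sit behind an HTTP handler, since the state it keeps is per account rather than per dialog.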
